Krebs on Security

In-depth security news and investigation

Fraud Bazaar Carders.cc Hacked

Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.

The breach involves at least three separate files being traded on Rapidshare.com: The largest is a database file containing what appear to be all of the communications among nearly 5,000 Carders.cc forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and in many cases the passwords of Carder.cc forum users.

A third file — which includes what appear to be Internet addresses assigned to the various Carders.cc users when those users first signed up as members — also features a breezy explanation of how the forum was compromised. The top portion of this file — which is accompanied by an ASCII art picture of a cat — includes an oblique reference to the party apparently responsible for the Carders.cc site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such “e-zines” to come from this group.

Ironically, the anonymous authors of the e-zine said they were able to compromise the criminal forum because its operators had been sloppy with security. Specifically, they claimed, the curators of Carders.cc had set insecure filesystem permissions on the Web server, which essentially turned what might have been a minor site break-in into a total database compromise. From the e-zine’s opening salvo:

Many of you guys may have noticed this breeding German “underground” shit called carders.cc. For those who don’t: Carders is a marketplace full of everything that is illegal and bad. Carding, fraud, drugs, weapons and tons of kiddies. They used to be only a small forum, but after we erased 1337-crew they got more power. The rats left the sinking ship. The voices told us to own them since carders is our fault and we had to fix our flaw. So we did.

During the ownage they also gave us lulz by showing off their ridiculous configuration skills which had a specific impact on their security. They actually managed to chmod and chown nearly everything to 777 and www-user readable. Including their /root directory.

On the surface, it’s tempting to grin at the misfortune of these fraudsters. Still, the leaked database contains no small amount of password and banking information for many innocent victims. In addition, these types of vigilante attacks typically come with hidden costs: For one thing, while it may be true that law enforcement officials could use some of this information to locate people engaged in computer trespass, and buying or selling stolen personal and financial data, the public release of this information could just as easily prompt those individuals to abandon those accounts and Internet addresses, and even potentially jeopardize ongoing investigations.

This entry was posted on Tuesday, May 18th, 2010 at 9:05 pm and is filed under A Little Sunshine, Web Fraud 2.0.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

44 comments

“…the leaked database contains no small amount of password and banking information for many innocent victims.” Which was already known to many criminals. Having it known that anyone can check to see if their info is there is much better than having it known only to criminals who are going to use it.

It is more than “tempting to grin at the misfortune of these fraudsters”. Yes, vigilante acts often have negative consequences, but this is one instance with minimal downside risk. I wish the stolen consumer credit card data hadn’t been released onto Rapidshare, but that obviously wasn’t going to be sifted out and scrubbed by the vigilante group.

I wonder if there will be a second issue of “Owned and Exposed”? This was nice reporting by Krebs, particularly the ASCII art image! I considered this Digg-worthy, and acted accordingly!

Off topic, but I will boycott any movie that has been released previously. I’m sick of non-original content. The movie and recording industry get extremely bent over piracy, but when it comes to lazy remakes they can’t get enough.

Hey Dana, welcome. It’s hard to say. The sensitive consumer stuff that’s obviously stolen is mixed in with the chatter on the board and interspersed with private messages, facebook passwords, etc. not easy to search through. If I had the thing in a real database format that might be easier, but not at the moment.

Hello Community, first i have to say: Sorry for my bad english.
Some people know me from Carders.cc i was 2nd lvl and had 400 Posts.
I dodnt know whot you are think whot happens, the Database was ILLEGAL HACKED so why they can you it for an Evidence ?? I tell you that they cant.
All my Hard Drives are cleaned and they cant find everything!!!
So happy hacking, carders.cc comes back you cannot kill us with a Simple Website Hack…

Somehow I suspect Carders.cc didn’t have routine PCI audits completed. They existed entirely to resell stolen information, so auditors aren’t much of a concern. Although, ironically they probably could have benefited from following the practices laid out in the PCI guidelines.

I checked the PCI DSS and it states “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted”, it does not distinguish between lawful or illegal storage.

Depending on the number of credit card numbers, they may have just submitted a self assessment questionnaire. However, since they were breached they could not have been compliant.

Something odd that Brian did not intend. A simple click on carderscc.png shows just fine. But a go-back wrongly returns to the URL prior to krebsonsecurity – not nice to do. This happens with both FF and IE. Bringing up the .png in a new tab or window has a correct Referring URL but (of course) go-back doesn’t work.

I would love to have a copy of those files, even sanitized and without password or credit card information, but they seem were taken down from Rapidshare. Since they purportedly contain negotiations, I’m curious how those criminals trust each other when dealing between them. Also, were they using german, english or a jumble or Est-European languages when communicating ? If Solaro is indeed one of them, he hardly seems bilingual…

looks like the vulnerably was in the ipz.php file, i think they get into that website through RFL 0d4y ( published exploit but old one ), as long they don’t secure on them filesystem, was good enough to pwn them xD…